Introduction: Making Your Cloud Strategy “Antifragile”
As organizations increase their reliance on the cloud to quickly and cost-effectively scale their digital operations, new security challenges arise. The convenience of speed and affordability creates unprecedented volumes of data, and cyber assets are added to your cloud infrastructure faster than you can keep track of them. As we enter the next era of IT, we will be challenged to face attacks that can cause irreversible damage and undermine our ability to recover.
What does it mean to have an “antifragile” cloud strategy? Instead of focusing solely on security, which will ultimately lead to a fragile environment, or on resiliency, which means bouncing back but not necessarily getting better, what if we focused on becoming “antifragile”? Let harm create change for the better: harm will make the system stronger rather than weaker. We’ll come back to this idea later in the blog.
How Have We Solved Cyber Threats in the Past?
By starting with a look at the Cyber Defense Matrix, a framework created by JupiterOne CISO Sounil Yu, we can navigate the security landscape to understand what products solve which problems and what the core function of each product is. As we map out vendors on this matrix, we see many on the left, but only a few on the right side of the matrix. Are we solving the right problems? Why is there this massive gap?
Before we look at how to solve the cybersecurity problems of today, we need to take a look at the history of cybersecurity problems and their unique solutions. As we review each decade, we notice a theme and how it aligns with the NIST cybersecurity framework.
“In each era we had a new challenge and required new solutions. And the solutions of the past didn't help us address the problems of the present,” Sounil Yu, CISO at JupiterOne, explains in a recent webinar on the topic. He continues, “We have a 2020 problem, and what we get from the market are 1990 and 2010 solutions.”
1980’s - Identify
The 80’s are known for vibrant colors, big hair, and the rise of computers. A core challenge for many business groups was, “What did we buy and how does it support our business?” This led to solutions in asset management and systems management.
1990’s - Protect
Moving on from big hair to 90’s grunge, we are met with a new wave of core challenges in the 90’s. The rise of chat rooms led to viruses, server-side attacks, and people walking into our networks and taking advantage of our insecure configurations. The solution to these problems included anti-virus, firewalls, and more secure configurations.
2000’s - Detect
As we enter the new millennium, we are inundated with logs and alerts from all the different tools we have, and we see a rise in client-side attacks. To resolve these issues, we need things like IDS and SIM.
2010’s - Respond
The internet is booming, and there are fires everywhere. We need firefighters and firefighting tools like incident responders and IR tools (EDR, SOAR).
2020’s - Recover (or Resiliency)
The new era of the cybersecurity framework can be seen in the 2020’s. When we look at the key aspects of the CIA triad (confidentiality, integrity, and availability) there’s one form of attack that seems to undermine them all, causing irreversible damage: ransomware. How should we combat ransomware? When we look in the market, many vendors are bringing back solutions from the “prevention” age of the 90’s. Some solutions to help us become more recoverable or resilient include content delivery networks, copy on write, blockchain, and more.
As Sounil claims, “Our best solution is not more protect, detect and respond, but rather systems that are built to be DIE.” Sounil suggests that in the “recover” phase of the 2020’s, we put the DIE triad into practice.
Putting the DIE Triad Into Practice
What is the DIE Triad?
Traditional security frameworks such as the CIA triad were designed with on-prem infrastructure in mind, where the perimeter is well defined and the complexities are far more manageable. Your hybrid or cloud security strategy would be incomplete with this framework alone. As we look at the many solutions and designs, we begin to notice a new pattern that Sounil Yu calls the DIE Triad. Each of the attributes of the DIE (distributed, immutable, ephemeral) triad has interesting security value.
Distributed: The best solution against a distributed attack is a distributed service. The more distributed something is, the harder it will be to take down.
Immutable: Unauthorized changes stand out and can be reverted to known good, which makes changes easier to detect and reverse.
Ephemeral: A short lifetime makes attacker persistence hard and reduces concern for assets at risk. It drives the value of assets closer to zero.
The DIE Triad actually helps offset the need for CIA. As Sounil explains, “The more distributed something is, the less I need to worry about the availability of any one thing. The more immutable something is, the less I need to worry about the integrity of that thing, and the more ephemeral something is, the less I need to worry about the confidentiality of that thing.”
How to Categorize your Assets
When we think of risk and impact, we can use a metaphor common in the cloud native world: pets vs. cattle.
We love pets. We give them names. We nurture and care for them. We take them to the vet when they are sick. Pets are like our Social Security numbers, our personal computers, or the server under our desk. We want to limit the number of “pets” we have and be intentional about choosing to adopt a new pet.
Cattle are usually branded with obscure and unpronounceable names. When they get sick, they get removed from the herd. These are things like docker containers, credit card numbers, and serverless functions. We want to have a lot of cattle.
What’s a Pet and What’s Cattle?
Pets need to be secure, and we will always have pets, but we want to be deliberate about “adopting” new ones because once we have a pet, we very rarely get rid of it. These are legacy assets, and in IT no one loves maintaining legacy environments. Cattle are different: we want as many as we can have, and we can design them to be distributed, immutable, and ephemeral.
To determine what’s a pet and what’s cattle, we can start with ephemerality, that is, how long something lives. By looking at the lifetime of a system, we can determine what’s a pet and what’s cattle.
In order to build an antifragile security model, we must find things that are pet-like and make them more DIE-like. Sounil Yu explains that “As we discover patterns or as we encounter situations where something is about to become a pet, what we want to basically do is say, how do we replace that system or that type of component with something that might be more DIE-like? And over time we end up with better and better design patterns that ultimately help us become more antifragile.”
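The lifetime check described above, extended to the other two DIE attributes, can be run over an asset inventory. This is an added example, not JupiterOne's code or part of the webinar; the inventory fields, the 30-day lifetime limit, and the two-replica minimum are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are assumptions, not a real export format.
NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "ci-runner-7f3a", "created": "2022-06-30T22:10:00+00:00", "replicas": 12,
     "deployed_digest": "sha256:aa11", "running_digest": "sha256:aa11"},
    {"id": "api-pod-5c9d", "created": "2022-06-29T08:00:00+00:00", "replicas": 6,
     "deployed_digest": "sha256:bb22", "running_digest": "sha256:ff99"},
    {"id": "billing-db-01", "created": "2019-03-14T09:00:00+00:00", "replicas": 1,
     "deployed_digest": "sha256:cc33", "running_digest": "sha256:cc33"},
    {"id": "jump-host", "created": "2020-11-02T12:00:00+00:00", "replicas": 1,
     "deployed_digest": "sha256:dd44", "running_digest": "sha256:ee55"},
]

MAX_LIFETIME = timedelta(days=30)  # assumed policy: anything older is not ephemeral
MIN_REPLICAS = 2                   # assumed policy: a single instance is not distributed

def die_gaps(asset, now=NOW):
    """Return the DIE attributes this asset fails, in D-I-E order."""
    gaps = []
    if asset["replicas"] < MIN_REPLICAS:
        gaps.append("distributed")
    # Immutable: what is running must match what was deployed; drift needs a look.
    if asset["running_digest"] != asset["deployed_digest"]:
        gaps.append("immutable")
    age = now - datetime.fromisoformat(asset["created"])
    if age > MAX_LIFETIME:
        gaps.append("ephemeral")
    return gaps

def classify(inventory, now=NOW):
    """Split assets into cattle, drifted cattle to recycle, and pets to review."""
    report = {"cattle": [], "recycle": [], "pets": []}
    for asset in inventory:
        gaps = die_gaps(asset, now)
        if "ephemeral" in gaps or "distributed" in gaps:
            report["pets"].append((asset["id"], gaps))
        elif gaps:  # short-lived and replicated, but drifted from known good
            report["recycle"].append((asset["id"], gaps))
        else:
            report["cattle"].append((asset["id"], gaps))
    return report

if __name__ == "__main__":
    for bucket, assets in classify(INVENTORY).items():
        for asset_id, gaps in assets:
            print(f"{bucket:8} {asset_id:16} gaps={gaps or '-'}")
```

The "pets" bucket is the review list: each entry names the attributes to redesign first, while "recycle" holds cattle that should be replaced from the known-good image rather than repaired in place.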
What if there was a way to automate the process of discovering which assets are actual pets versus things we can treat like cattle? That’s where JupiterOne comes in.
Think of yourself as pet management. If you can spend your time being a pet control officer and less time being a cyber veterinarian, you will have fewer pets to worry about.
In a demo putting the DIE triad into practice on the JupiterOne platform, Aaron Jahoda, Senior Solutions Architect at JupiterOne, explains that the goal here is to use the JupiterOne platform to “identify the assets in our system and help our teams understand which of these assets are truly critical, which are more pet-like and should be pets versus which are more cattle, and try to help us move towards more being able to treat more of our assets as ephemeral.” He continues in his demo to explain the “end result of that is once I have critical assets defined, being able to then use that information to understand the attack surface for those assets.”
Learn more about the DIE Triad
This content has been repurposed from “Making Your Cloud Strategy Antifragile with the DIE Security Model,” a July 2022 webinar. This webinar was led by Sounil Yu, CISO at JupiterOne and Aaron Jahoda, Senior Solutions Architect at JupiterOne. To learn more about the DIE triad and watch the demo, you can tune in on-demand here.